The present disclosure relates generally to credential abuse prevention and, more specifically, to a method and system for credential abuse prevention and efficient revocation.
Attribute-based anonymous credentials can be a powerful instrument for privacy-preserving authentication. However, privacy features such as anonymity and unlinkability prevent service providers from knowing if the credentials are in the hands of a legitimate user or not. The verifier cannot tell if two presentations were done by the same user or not without being able to track them.
Accordingly, in an attempt to lessen the risk of illegitimate use, device binding mechanisms such as direct anonymous attestation (DAA) scheme can be implemented to help by preventing users from using their credentials without the device where the secret is embedded. However, the software-based credentials that are stored in a cloud web-based or a mobile credential wallet can be copied and used by the other users. Furthermore, if the device is stolen or shared between the users, the number of presentations that are done with the misused credentials are not limited. Anonymous e-cash systems provide mechanisms that try to help by preventing over-spending of credentials, but do not consider the timing and sharing of the credentials.
Therefore, if the wallet is stolen or credentials are being shared among malicious users there is no mechanism in place that prevents the credentials misuse while still preserving users' anonymity and unlinkability.